How a Google Headhunter’s E-Mail Unraveled a Massive Net Security Hole

477 points by trendspotter over 12 years ago
"Harris wasn’t interested in the job at Google, but he decided to crack the key and send an e-mail to Google founders Brin and Page, as each other, just to show them that he was onto their game."

18 comments

tptacek over 12 years ago
DKIM is an anti-spam mechanism. It does *not* authenticate the sender of an email message; to do that, use something like PGP. This is an interesting story, but it's not a story about a "massive net security hole". Mail on the Internet has always been spoofable.
Comment #4692830 not loaded
Comment #4693292 not loaded
Comment #4693135 not loaded
jgrahamc over 12 years ago
Seriously old news... I attacked Facebook's 512-bit DKIM key back in 2010: http://blog.jgc.org/2010/06/facebooks-dkim-rsa-key-should-be.html
Comment #4692797 not loaded
Comment #4693513 not loaded
Comment #4693317 not loaded
DanBC over 12 years ago
> Harris thought there was no way Google would be so careless, so he concluded it must be a sly recruiting test to see if job applicants would spot the vulnerability. Perhaps the recruiter was in on the game; or perhaps it was set up by Google’s tech team behind the scenes, with recruiters as unwitting accomplices.

Ha! That's optimistic.
Comment #4692828 not loaded
jere over 12 years ago
> But the government of Iran probably could, or a large group with sufficient computing resources could pull it off.

Yes, I can see it now: "Iran endures crushing sanctions in order to pursue spam email program."
Comment #4694155 not loaded
Comment #4693468 not loaded
meshko over 12 years ago
I find it cute how clueless mathematicians and physicists are about how clueless we (programmers) are. Weak crypto? Assume it is a puzzle!
jfc over 12 years ago
I hope this guy's inbox is full of job offers. That's a heck of a find.
Comment #4692654 not loaded
seanica over 12 years ago
“A 384-bit key I can factor on my laptop in 24 hours,” he says. “The 512-bit keys I can factor in about 72 hours using Amazon Web Services for $75. And I did do a number of those. Then there are the 768-bit keys. Those are not factorable by a normal person like me with my resources alone. But the government of Iran probably could, or a large group with sufficient computing resources could pull it off.”

"But the government of Iran probably could"... At this point I stopped reading, as this article became propaganda.

Did you know this month is National Cyber Security Awareness Month, as advertised by the DHS?

http://www.dhs.gov/national-cyber-security-awareness-month
Comment #4692817 not loaded
Comment #4694170 not loaded
Comment #4693078 not loaded
Comment #4695949 not loaded
Cogito over 12 years ago
Full article: http://www.wired.com/threatlevel/2012/10/dkim-vulnerability-widespread/all/
pgsandstrom over 12 years ago
Dangerous move; other companies would have set the police on him for that stunt.
Comment #4693147 not loaded
Comment #4692863 not loaded
tolos over 12 years ago
What a happy ending, no threats of jail or lawsuits.
Comment #4697517 not loaded
seacond over 12 years ago
Seems to be some conflation in this thread. Are DKIM and authentication (PGP) really comparable in practice?

Here's my take: DKIM is an attempt by _third parties_ (i.e. "email providers", not the author or the recipient of the message) to control who can send email (but guess what? anyone can send email, go figure). On the other hand, authentication (PGP) is an attempt to allow senders to sign messages and receivers to verify signatures (no third parties needed).

Bob printed his PGP public key on a card and gave it to Alice when they had lunch. He then signed an email message the following week using PGP and sent it to Alice. But Bob's "email provider" decided to block Bob's message because Bob didn't pay money to someone for the use of a "domain name" and Bob's "email provider" thought his email was "spam" because he hadn't been "authorized" (by paying money for use of a domain name) to send email.
wia over 12 years ago
Sloppy work by affected companies since the RFC was unambiguous. But why didn't the RFC keep it consistent by requiring verifiers to only work with the same minimum key length?

RFC 4871 (sorry for formatting but ipad issue):

"signers MUST use RSA keys of at least 1024 bits for long-lived keys. Verifiers MUST be able to validate signatures with keys ranging from 512 bits to 2048 bits, and they MAY be able to validate signatures with larger keys. Verifier policies may use the length of the signing key as one metric for determining whether a signature is acceptable.

Factors that should influence the key size choice include the following:
o The practical constraint that large (e.g., 4096 bit) keys may not fit within a 512-byte DNS UDP response packet
o The security constraint that keys smaller than 1024 bits are subject to offline attacks..."
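The RFC 4871 key-size limits quoted above, and the factoring costs seanica quotes from the article (384 and 512 bits on a laptop or a few dollars of cloud time, 768 bits for a well-resourced group), turn into a check a mail admin can run against any published DKIM selector. The block below is an added example, not code from this thread or from any of the projects or companies mentioned. It uses only the Python standard library: the record's p= tag is a base64 DER SubjectPublicKeyInfo, and the modulus bit length is read directly out of the DER. The sample records are constructed inside the block (the moduli are not real RSA keys; only their length matters), and the verdict thresholds are an assumption derived from the RFC text: under 512 bits a verifier need not accept the key at all, 512 to 1023 bits is the range the article shows being factored, 1024 bits and up is the RFC's minimum for long-lived keys.

```python
"""Rate the RSA key size published in a DKIM DNS TXT record.

Added example (not code from the thread). Stdlib only: the p= tag is a
base64 DER SubjectPublicKeyInfo, and the modulus length is read straight
out of the DER. Thresholds follow the RFC 4871 text quoted in the thread
and are an assumption of this example.
"""
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def parse_dkim_record(txt: str) -> dict:
    """Split a DKIM TXT record into tag=value pairs, dropping folded whitespace."""
    tags = {}
    for field in txt.split(";"):
        if "=" not in field:
            continue
        k, v = field.split("=", 1)  # split once: base64 padding also uses '='
        tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(p_b64: str) -> int:
    """Bit length of the RSA modulus inside a DKIM p= value."""
    tag, spki, _ = _read_tlv(base64.b64decode(p_b64), 0)
    if tag != 0x30:
        raise ValueError("p= is not a SubjectPublicKeyInfo SEQUENCE")
    tag, alg, pos = _read_tlv(spki, 0)          # AlgorithmIdentifier
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(spki, pos)       # BIT STRING, first octet = unused bits
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsapub, _ = _read_tlv(bitstr[1:], 0)     # RSAPublicKey SEQUENCE { n, e }
    tag, n_bytes, _ = _read_tlv(rsapub, 0)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(n_bytes, "big").bit_length()


def assess_dkim_record(txt: str) -> tuple:
    """Return (modulus_bits, verdict) using the RFC 4871 limits (thresholds assumed)."""
    tags = parse_dkim_record(txt)
    if tags.get("k", "rsa") != "rsa":
        return (0, "not-rsa")
    if not tags.get("p"):
        return (0, "revoked")  # empty p= means the selector is revoked, not weak
    bits = rsa_modulus_bits(tags["p"])
    if bits < 512:
        return (bits, "below-verifier-minimum")  # verifiers need not accept it at all
    if bits < 1024:
        return (bits, "weak")  # the sizes the article reports as factorable
    return (bits, "ok")


# --- constructed sample records (not real published keys) ------------------

def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _der_int(x: int) -> bytes:
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b  # keep the INTEGER positive
    return _tlv(0x02, b)


def build_dkim_record(modulus: int, exponent: int = 65537) -> str:
    """Encode (n, e) as the SubjectPublicKeyInfo a DKIM p= tag carries."""
    rsapub = _tlv(0x30, _der_int(modulus) + _der_int(exponent))
    alg = _tlv(0x30, _tlv(0x06, RSA_OID) + b"\x05\x00")
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsapub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


if __name__ == "__main__":
    # Moduli of the sizes discussed in the article; only the length matters here.
    for size in (384, 512, 768, 1024, 2048):
        record = build_dkim_record((1 << (size - 1)) | 1)
        print(size, assess_dkim_record(record))
```

To check a real selector, fetch the TXT record at selector._domainkey.example.com (for instance with dig), join the quoted strings into one value, and pass it to assess_dkim_record. An empty p= is a revoked selector rather than a weak key, and a k= other than rsa is out of scope for this check.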
eranation over 12 years ago
Ok, this got me scared, checked with Sendgrid support, of course they use 1024, back to breathing again.
Kliment over 12 years ago
I got one of those emails too once. I still can't figure out why. I did post to LKML a couple times in the past, but I haven't done anything kernel in over a decade. And a random Google recruiter emails me to congratulate me on my experience and offer me an unspecified position as an SRE. Not only do I have zero experience or interest in sysadmin and large server type stuff, they don't even have any facilities within 400km of me. What the fuck, Google?
Comment #4697388 not loaded
snowwrestler over 12 years ago
DKIM is not the only tool for catching spoofed emails; to my knowledge SPF is more widely used because it is much easier to set up. I'd be shocked if the little Larry/Sergei joke email made it to their inbox since it would fail the SPF lookup.
Comment #4696722 not loaded
suyash over 12 years ago
What is the direct link to this guy's website?
Evbn over 12 years ago
Props to Wired for disclosing that their silly phony photo setups are phony. I found that comforting.

Props to Google for fixing the problem instantly.

Weird that he thought the email was phony based on content. Who wouldn't want a computer-savvy math genius on their team? Google has lots.
Comment #4693318 not loaded
Sami_Lehtinen over 12 years ago
Well, afaik key length isn't the problem. Weak algo is. I assume they use RSA; they should use ECC. 512 bits is more than enough.

https://www.nsa.gov/business/programs/elliptic_curve.shtml
Comment #4693327 not loaded
Comment #4693615 not loaded